For Ransom: Your Medical Records

It started out as a data breach like many others. The hackers penetrated the computer network of a small medical practice in a wealthy suburb of northern Illinois, The Surgeons of Lake County, and broke into a server containing email and electronic medical records. But instead of sneaking out undetected and selling the stolen data on the black market, they took a novel tack — encrypting the data and posting a message demanding a ransom payment in exchange for the password.

The move from fraud to extortion in cases of data compromise is frightening for several reasons. First, it suggests that the criminals knew exactly what they were doing, and that they deliberately targeted digital medical records as part of a well-articulated strategy — an approach that we can expect to see employed more frequently as the digitization of records and broadening of access become the norm in the health care industry. Second, this M.O. implies a tremendous confidence in the criminals’ power to disrupt — and a calculation that the illicit ROI from blackmail would exceed the price that the data would command on the black market.

All of this is ultimately made possible by the digitization of medical records and the placement of those records on networks — often unprotected ones. It gets you thinking…

Would you post your medical records to your Facebook profile? Share a CAT scan via Instagram? Discuss your prescription history with your network on LinkedIn? Not likely. Even if every single one of your Facebook “friends” really is a friend, the idea of such personal information falling into the hands of strangers is damn hard to stomach — especially if those strangers happen to be criminals looking to make a quick killing and you are the roadkill.

But what if the server where that information is living belongs, not to Facebook or LinkedIn, but to a health information exchange — a computer network designed to put your medical information and that of millions of other patients within easy reach of medical professionals throughout our nation’s health care network?

The truth is that it may be there already, whether you know it or not. There are at least 255 health information exchanges across the United States so far, including 17 each in New York and Texas, 12 in Florida, and 10 each in California and Michigan, and that number is increasing at a steady clip. Their growth has been spurred partly by federal grants awarded to incentivize medical professionals to actively participate and promote the ongoing makeover of the health care system, and partly by the obvious efficiencies inherent in such a centralized and frictionless approach.

In a perfect world, this would not be a problem — and could be a solution. There are tremendous benefits to be derived from having a patient’s medical data available to practitioners throughout the health care network — from GPs and pharmacists to surgeons, radiologists, lab technicians, and emergency response teams. To have current, accurate, and reliable data about a patient’s medical history just a click away — whether the issue is urgent or routine — will save money, time, and, of greatest import, lives.

If you doubt that last assertion, consider this: it has been estimated that a million and a half people are hospitalized annually in the United States due to adverse reactions to mis-prescribed and overprescribed medications, and some 100,000 die each year from adverse reactions to mis-prescribed drugs. How many of those deaths and hospitalizations might have been avoided by having an accurate patient record close at hand? When you reflect upon the full range of medical errors that take place each year due to missing or inaccurate patient data — from unnecessary surgeries to under-the-radar cancers — the value is clear.

Then again, in a perfect world, a shopkeeper could stock the shelves, post the prices, and leave for the day — secure in the knowledge that people are honest and will pay for whatever they take.

This is not a perfect world. And that is why some people find health information exchanges so scary.

Unfortunately, not everyone follows the core precept of medical ethics first stated by Galen: “First, do no harm.” Indeed, our society has learned the hard way that where there’s a weakness, there’s a weasel waiting to exploit it. And a database brimming with sensitive data is exploitation waiting to happen.

We all know that digitized health records have long been a target for identity thieves, and the list of major data breaches involving hospitals and other health care facilities is a long one. In fact, as Bloomberg reported recently, medical providers suffer more breaches than any other type of organization, with an astonishing 690 data breaches involving 23 million records since 2005.

The Surgeons of Lake County scenario is frightening, in part, because it can be (and has been) applied far beyond the world of medical records — in the private sector, certainly, but also in government. Imagine a wave of database kidnappings-by-encryption targeting not just health information exchanges and other medical practices, but banks, insurance companies, government agencies, even military facilities. Clearly, such a scenario must be avoided — even if that requires significant changes in the way we store, transmit, use, and protect sensitive digital information.

Even within the realm of health care, however, we are seeing the early signs of a potential catastrophe — one that will be difficult to avoid precisely because the case for digitizing and centralizing medical information is so strong at every other level. The digitization of medical records may make a whole lot of folks queasy, but it is also smart and efficient, offering a huge opportunity to save both money and lives. It is, in fact, inevitable. Unfortunately, so are data breaches, and the identity compromises that will follow.

We need to be deadly serious here because we’re not talking just money anymore. Lives are literally at stake. Up to now, the federal government has taken a hands-off posture with respect to the workings of health information exchanges, leaving it up to the states to determine how patients’ data will be treated — and whether they will even be told that their information is being shared, or given the choice of opting out. Even when patients are brought into the loop, they must balance the privacy advantages of opting out against the medical risks of being outside the system — and thus losing the advantages of more rapid, more accurate diagnosis and treatment.

No patient should have to make such a life-or-death choice. As our society moves toward digitization and sharing of a wide range of extremely sensitive data, it is essential that we find approaches to information security that rest on a solid foundation — that are capable of enabling technological and social advances while protecting both the privacy of individuals and the security of our institutions. Wishful thinking won’t cut it. Neither will complacency. If digital information is the bedrock on which our society now rests, we have some serious work to do. If we don’t do it, there’s a shaky, scary future ahead.

So far, all we think we know about the Lake County incident is that no ransom was paid, the server has been shut off, the police are involved, the patients have been notified, and credit monitoring has been offered to those who face exposure in one form or another. We don’t know if the hackers made copies of the files before they encrypted them and have already sold them on the black market, if the server was backed up and/or if the data was destroyed. Anyone clever enough to pull this off is smart enough not to begin using the data for a while anyway. We don’t know if other businesses in the area were hacked as well.

What we do know is that this isn’t the first hacking/ransom incident, nor will it be the last.

I support digitization provided the prime directive is security and not simply convenience. I, for one, do not feel a whole lot of comfort walking into my doctors’ offices and seeing a wall of open filing cabinets filled with patient files ripe for the plucking by an opportunistic passerby, an unscrupulous employee or unwelcome nighttime visitor. Do you?